diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtIssuerAuthenticationManagerResolver.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtIssuerAuthenticationManagerResolver.java
index c55785ea41..1d2e409533 100644
--- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtIssuerAuthenticationManagerResolver.java
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtIssuerAuthenticationManagerResolver.java
@@ -16,10 +16,9 @@
 package org.springframework.security.oauth2.server.resource.authentication;
-import java.util.Arrays;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.function.Predicate;
@@ -49,7 +48,7 @@ import org.springframework.util.Assert;
  *
  * To use, this class must be able to determine whether the `iss` claim is trusted. Recall
  * that anyone can stand up an authorization server and issue valid tokens to a resource
- * server. The simplest way to achieve this is to supply a list of trusted issuers in the
+ * server. The simplest way to achieve this is to supply a set of trusted issuers in the
  * constructor.
  *
  * This class derives the Issuer from the `iss` claim found in the
@@ -70,7 +69,7 @@ public final class JwtIssuerAuthenticationManagerResolver implements Authenticat
  * @param trustedIssuers an array of trusted issuers
  */
  public JwtIssuerAuthenticationManagerResolver(String... trustedIssuers) {
- this(Arrays.asList(trustedIssuers));
+ this(Set.of(trustedIssuers));
  }
  /**
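Review bot: `Set.of(trustedIssuers)` in the varargs constructor throws `IllegalArgumentException` when the array names the same issuer twice and `NullPointerException` on a null element, whereas `Arrays.asList` accepted both, so a configuration that happens to list an issuer twice now fails at construction. Because the `Collection` constructor already copies into a set with `Set.copyOf`, which tolerates duplicates, the delegation could stay `this(Arrays.asList(trustedIssuers));` with the `java.util.Arrays` import kept. If rejecting duplicates is intended, the Javadoc should say so, for example `@throws IllegalArgumentException if trustedIssuers contains duplicate entries`. The same applies to the varargs constructor of `JwtIssuerReactiveAuthenticationManagerResolver` in the second file; the constructor's Javadoc starts outside this hunk.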
@@ -81,8 +80,7 @@ public final class JwtIssuerAuthenticationManagerResolver implements Authenticat
  public JwtIssuerAuthenticationManagerResolver(Collection trustedIssuers) {
  Assert.notEmpty(trustedIssuers, "trustedIssuers cannot be empty");
  this.authenticationManager = new ResolvingAuthenticationManager(
- new TrustedIssuerJwtAuthenticationManagerResolver(
- Collections.unmodifiableCollection(trustedIssuers)::contains));
+ new TrustedIssuerJwtAuthenticationManagerResolver(Set.copyOf(trustedIssuers)::contains));
  }
  /**
@@ -91,7 +89,7 @@ public final class JwtIssuerAuthenticationManagerResolver implements Authenticat
  *
  * Note that the {@link AuthenticationManagerResolver} provided in this constructor
  * will need to verify that the issuer is trusted. This should be done via an allowed
- * list of issuers.
+ * set of issuers.
  *
  * One way to achieve this is with a {@link Map} where the keys are the known issuers:
  *
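Review bot: In the `Collection` constructor (hunk `@@ -81,8 +80,7 @@`), the predicate `Set.copyOf(trustedIssuers)::contains` throws `NullPointerException` when tested with a null issuer, where `contains` on the previously wrapped collection would normally return false. Whether a null `iss` value can reach this predicate is not visible in the hunk; if it can, a token without an issuer would surface as an unhandled exception instead of being rejected as untrusted. A null-safe form is `Set<String> trusted = Set.copyOf(trustedIssuers);` followed by the predicate `(issuer) -> issuer != null && trusted.contains(issuer)`. `Set.copyOf` also rejects null elements and takes a snapshot rather than the live view that `Collections.unmodifiableCollection` gave, so the `@param` Javadoc could note `later changes to the supplied collection are not reflected`. The null-issuer point applies equally to the `Collection` constructor of `JwtIssuerReactiveAuthenticationManagerResolver`, which previously used `new ArrayList<>(trustedIssuers)::contains`.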
diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtIssuerReactiveAuthenticationManagerResolver.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtIssuerReactiveAuthenticationManagerResolver.java
index 52f4411c0e..a19a2a6c4f 100644
--- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtIssuerReactiveAuthenticationManagerResolver.java
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtIssuerReactiveAuthenticationManagerResolver.java
@@ -17,10 +17,9 @@
 package org.springframework.security.oauth2.server.resource.authentication;
 
 import java.time.Duration;
-import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collection;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.function.Predicate;
 
@@ -51,7 +50,7 @@ import org.springframework.web.server.ServerWebExchange;
  *
  * To use, this class must be able to determine whether the `iss` claim is trusted. Recall
  * that anyone can stand up an authorization server and issue valid tokens to a resource
- * server. The simplest way to achieve this is to supply a list of trusted issuers in the
+ * server. The simplest way to achieve this is to supply a set of trusted issuers in the
  * constructor.
  *
  * This class derives the Issuer from the `iss` claim found in the
@@ -74,7 +73,7 @@ public final class JwtIssuerReactiveAuthenticationManagerResolver
 	 * @param trustedIssuers an array of trusted issuers
 	 */
 	public JwtIssuerReactiveAuthenticationManagerResolver(String... trustedIssuers) {
-		this(Arrays.asList(trustedIssuers));
+		this(Set.of(trustedIssuers));
 	}
 
 	/**
@@ -85,7 +84,7 @@ public final class JwtIssuerReactiveAuthenticationManagerResolver
 	public JwtIssuerReactiveAuthenticationManagerResolver(Collection trustedIssuers) {
 		Assert.notEmpty(trustedIssuers, "trustedIssuers cannot be empty");
 		this.authenticationManager = new ResolvingAuthenticationManager(
-				new TrustedIssuerJwtAuthenticationManagerResolver(new ArrayList<>(trustedIssuers)::contains));
+				new TrustedIssuerJwtAuthenticationManagerResolver(Set.copyOf(trustedIssuers)::contains));
 	}
 
 	/**
@@ -94,7 +93,7 @@ public final class JwtIssuerReactiveAuthenticationManagerResolver
 	 *
 	 * Note that the {@link ReactiveAuthenticationManagerResolver} provided in this
 	 * constructor will need to verify that the issuer is trusted. This should be done via
-	 * an allowed list of issuers.
+	 * an allowed set of issuers.
 	 *
 	 * One way to achieve this is with a {@link Map} where the keys are the known issuers:
 	 *